Re: postfix-tls error

2017-08-07 Thread Viktor Dukhovni
On Fri, Aug 04, 2017 at 12:31:53PM +0530, hyndavirap...@bel.co.in wrote:

> >> Can you help me to solve this problem
> >
> > Not without the requested logging, and copy of the server and CA
> > certificates.

> TLS logging is as below,

> Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25:
> certificate verification depth=1 verify=1

Your nexthop domain is "201.123.1.4"; what is the verbatim entry in
the transport table that makes it so?

> Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25:
> subject_CN=1CorpHQ/emailaddress=1corphq_smtp_ad...@tcs.mil.in,

The subject CN is:

subject_CN=1CorpHQ/emailaddress=1corphq_smtp_ad...@tcs.mil.in

not "1CorpHQ"!  That "/emailaddress" is, despite appearances to
the contrary, part of the subject CN and not a separate RDN component.

> issuer_CN=CA/emailAddress=ca_ad...@bel.co.in,

Ditto here, though that is not a problem.

> Aug  4 11:52:29 AHQ postfix/smtp[11652]: Trusted TLS connection
> established to 201.123.1.4[201.123.1.4]:25: TLSv1.2 with cipher
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

The certificate chain is valid, but the name does not match.

> tls_policy entry is given below
> 
> [201.123.1.4]:25  secure  match=1CorpHQ

Do make sure that the transport table entry is:

1CorpHQ.tcs.mil.in smtp:[201.123.1.4]:25

and not some variant.  On the other hand, I would have gone with
just:

transport:
1CorpHQ.tcs.mil.in smtp:[201.123.1.4]

tls_policy:
[201.123.1.4]   secure  match=1CorpHQ

i.e. leave off the implicit ":25" in both.  Of course your real
problem is the "/emailaddress=..." in the subject CN.

You posted only the text form of the certificate; the evidence would
have been more conclusive with the actual PEM certificate included.

-- 
Viktor.
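As an added illustration of the two points made in this reply and in the 2015 thread below (the one-line subject format hides where the CN value ends, and a "secure" policy compares its match= list against the literal DNS names in the certificate, SANs first, while "encrypt" checks nothing), here is a small Python model. It is not Postfix code: the subjects are constructed from the names in the logged subject_CN= lines, and the matching rules are my reading of TLS_README (nexthop/dot-nexthop keywords, case-insensitive exact match, leading-dot patterns for strict sub-domains; wildcard names are not modelled).

```python
"""Model of how a Postfix SMTP client decides whether a server certificate
satisfies a tls_policy entry.  Constructed example for this thread, not
Postfix code: the subjects below are built from the names in the logged
subject_CN= lines, and the matching rules are my reading of TLS_README
(nexthop/dot-nexthop keywords, case-insensitive exact match, a leading-dot
pattern matching strict sub-domains); wildcard names are not modelled."""

from typing import Dict, Iterable, List, Sequence, Tuple

DN = Sequence[Tuple[str, str]]  # ordered (attribute, value) pairs

# Two different subjects that render identically in OpenSSL's one-line form.
# INTENDED is what the admin meant: CN and emailAddress as separate RDNs.
# ACTUAL is what the server presented: the address swallowed into the CN.
INTENDED_SUBJECT: DN = [("C", "IN"), ("O", "BEL"), ("CN", "1CorpHQ"),
                        ("emailAddress", "1corphq_smtp_ad...@tcs.mil.in")]
ACTUAL_SUBJECT: DN = [("C", "IN"), ("O", "BEL"),
                      ("CN", "1CorpHQ/emailaddress=1corphq_smtp_ad...@tcs.mil.in")]


def oneline(dn: DN) -> str:
    """Legacy '/attr=value' rendering; a '/' inside a value is not escaped,
    so the boundary between RDNs cannot be recovered from this string."""
    return "".join(f"/{attr}={value}" for attr, value in dn)


def common_name(dn: DN) -> str:
    """What Postfix logs as subject_CN=: the literal CN attribute value."""
    return next((value for attr, value in dn if attr == "CN"), "")


def expand_match(patterns: Iterable[str], nexthop: str) -> List[str]:
    """Resolve the match= keywords against the next-hop domain."""
    keywords = {"nexthop": nexthop, "dot-nexthop": "." + nexthop}
    return [keywords.get(p, p) for p in patterns]


def name_matches(name: str, pattern: str) -> bool:
    """Exact match, or strict sub-domain match for a leading-dot pattern."""
    name, pattern = name.lower(), pattern.lower()
    if pattern.startswith(".") and len(pattern) > 1:
        return len(name) > len(pattern) and name.endswith(pattern)
    return name == pattern


def secure_verify(level: str, chain_ok: bool, san_dns: Sequence[str],
                  subject: DN, match: Sequence[str], nexthop: str
                  ) -> Tuple[bool, str]:
    """Return (verified, reason) for one delivery attempt at the given level."""
    if level == "encrypt":
        return True, "encrypt: the certificate is not verified at all"
    if not chain_ok:
        return False, "certificate chain is not trusted"
    # DNS subjectAltNames win; the CN is consulted only when there are none.
    candidates = list(san_dns) or [common_name(subject)]
    patterns = expand_match(match, nexthop)
    for name in candidates:
        for pattern in patterns:
            if name_matches(name, pattern):
                return True, f"{name!r} matches {pattern!r}"
    return False, f"none of {candidates} matches {patterns}"


def thread_cases() -> Dict[str, object]:
    """The situations discussed in the thread, keyed by a short label."""
    nexthop = "1CorpHQ.tcs.mil.in"
    return {
        # Both subjects look alike in the one-line form (modulo case) ...
        "same_oneline": oneline(INTENDED_SUBJECT).lower()
                        == oneline(ACTUAL_SUBJECT).lower(),
        # ... but the extracted CN shows the real value.
        "logged_cn": common_name(ACTUAL_SUBJECT),
        # The posted tls_policy line against the certificate as issued.
        "as_posted": secure_verify("secure", True, [], ACTUAL_SUBJECT,
                                   ["1CorpHQ"], nexthop),
        # The same policy against the certificate the admin meant to issue.
        "fixed_cn": secure_verify("secure", True, [], INTENDED_SUBJECT,
                                  ["1CorpHQ"], nexthop),
        # Default match list with a proper DNS SAN: dot-nexthop matches.
        "san_default": secure_verify("secure", True,
                                     ["mail.1corphq.tcs.mil.in"], ACTUAL_SUBJECT,
                                     ["nexthop", "dot-nexthop"], nexthop),
        # A DNS SAN is present, so the (matching) CN is ignored.
        "san_hides_cn": secure_verify("secure", True, ["other.example"],
                                      INTENDED_SUBJECT, ["1CorpHQ"], nexthop),
        # The 2015 thread: "encrypt" never fails on the name.
        "encrypt_level": secure_verify("encrypt", True, [], ACTUAL_SUBJECT,
                                       ["AHQserver"], nexthop),
    }


if __name__ == "__main__":
    for label, result in thread_cases().items():
        print(f"{label:>14}: {result}")
```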


Re: postfix-tls error

2017-08-04 Thread hyndavirapuru

> On Thu, Aug 03, 2017 at 12:19:55PM +0530, hyndavirap...@bel.co.in wrote:
>
>> > He's not posted the configuration of the sending system or
>> > its logs.  This is a waste of everyone's time.
>
> The relevant logging is the TLS-related logging from the sending
> postfix/smtp client process that happens *before* the message is
> finally deferred and is enabled via smtp_tls_loglevel=1.
>
>> smtp_enforce_tls = yes
>
> Instead, "smtp_tls_security_level = encrypt".
>
>> smtp_tls_loglevel = 1
>> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>
> Post the relevant tls policy table entry.
>
>> smtp_use_tls = yes
>
> This is unnecessary.
>
>> transport_maps = hash:/etc/postfix/transportmap
>>
>> Aug  3 12:11:54 AHQ postfix/smtp[8325]: 4B68168543FC:
>> to=, orig_to=,
>> relay=201.123.1.4[201.123.1.4]:25, delay=34, delays=34/0/0/0, dsn=4.7.5,
>> status=deferred (Server certificate not verified)
>
> The server certificate failed to verify.  Perhaps expired, perhaps
> not issued by the CA you've configured, or a missing intermediate
> certificate, or the certificate is not suitable for TLS (maybe it
> has some other extended key usage), or ...
>
>> Can you help me to solve this problem
>
> Not without the requested logging, and copy of the server and CA
> certificates.
>
> --
>   Viktor.
>



Hi Viktor,

TLS logging is as below:


Aug  4 11:52:29 AHQ postfix/smtp[11652]: initializing the client-side TLS
engine
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25: TLS
cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:before/connect
initialization
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv2/v3 write client
hello A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server
hello A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25:
certificate verification depth=1 verify=1
subject=/C=IN/ST=KARNATAKA/L=BANGALORE/O=BEL/OU=CRL/CN=CA/emailAddress=ca_ad...@bel.co.in
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25:
certificate verification depth=0 verify=1
subject=/C=IN/ST=KARNATAKA/L=BANGALORE/O=BEL/OU=CRL/CN=1CorpHQ/emailaddress=1corphq_smtp_ad...@tcs.mil.in
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server
certificate A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server key
exchange A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server done A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 write client
key exchange A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 write change
cipher spec A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 write finished A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 flush data
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server
session ticket A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read finished A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25
CommonName 1CorpHQ/emailaddress=1corphq_smtp_ad...@tcs.mil.in
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25:
subject_CN=1CorpHQ/emailaddress=1corphq_smtp_ad...@tcs.mil.in,
issuer_CN=CA/emailAddress=ca_ad...@bel.co.in,
fingerprint=99:EE:C4:42:4B:89:4F:1D:4C:93:18:48:7B:EA:90:9D,
pkey_fingerprint=5D:0D:58:AF:8B:A8:2C:D5:5F:9F:D2:DB:29:89:57:BD
Aug  4 11:52:29 AHQ postfix/smtp[11652]: Trusted TLS connection
established to 201.123.1.4[201.123.1.4]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 249ED60E5225:
to=, orig_to=,
relay=201.123.1.4[201.123.1.4]:25, delay=0.05, delays=0.04/0.01/0.01/0,
dsn=4.7.5, status=deferred (Server certificate not verified)


The tls_policy entry is given below:

[201.123.1.4]:25  secure  match=1CorpHQ


I have checked the server certificate against the CA cert using the openssl command.
It is fine:

[root@AHQ certs]# openssl verify -verbose -CAfile cacert.pem
1corphq_smtp_ad...@tcs.mil.in.pem
1corphq_smtp_ad...@tcs.mil.in.pem: OK

and the same CA certificate exists in ca-bundle.crt.


I'm attaching the 1CorpHQ server certificate details with the mail.

-- 
Thanks & Regards
Hyndavi rapuru
Member( Research Staff)
Central Research Laboratory
Bharat Electronics Ltd
Jalahalli
Bangalore- 560 013

Int Ph No: 134
Off Ph No: 080-28381125
Off Fax No: 28381168


Every 3000 sheets of paper costs us a tree. Save trees. Conserve
trees. Don't print this email or any files unless you really need to.

Confidentiality Notice

The information contained in this electronic message and any
attachments to this message are intended for the exclusive use of
the addressee(s) and may contain confidential or privileged
information. If you are not the intended recipient, please notify
the sender at Bharat Electronics or supp...@bel.co.in immediately
and destroy all copies of this message and any attachments.

Re: postfix-tls error

2017-08-03 Thread Viktor Dukhovni
On Thu, Aug 03, 2017 at 12:19:55PM +0530, hyndavirap...@bel.co.in wrote:

> > He's not posted the configuration of the sending system or
> > its logs.  This is a waste of everyone's time.

The relevant logging is the TLS-related logging from the sending
postfix/smtp client process that happens *before* the message is
finally deferred and is enabled via smtp_tls_loglevel=1.

> smtp_enforce_tls = yes

Instead, "smtp_tls_security_level = encrypt".

> smtp_tls_loglevel = 1
> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

Post the relevant tls policy table entry.

> smtp_use_tls = yes

This is unnecessary.

> transport_maps = hash:/etc/postfix/transportmap
> 
> Aug  3 12:11:54 AHQ postfix/smtp[8325]: 4B68168543FC:
> to=, orig_to=,
> relay=201.123.1.4[201.123.1.4]:25, delay=34, delays=34/0/0/0, dsn=4.7.5,
> status=deferred (Server certificate not verified)

The server certificate failed to verify.  Perhaps expired, perhaps
not issued by the CA you've configured, or a missing intermediate
certificate, or the certificate is not suitable for TLS (maybe it
has some other extended key usage), or ...

> Can you help me to solve this problem

Not without the requested logging, and copy of the server and CA
certificates.

-- 
Viktor.


Re: postfix-tls error

2017-08-03 Thread hyndavirapuru

> On Wed, Aug 02, 2017 at 10:00:58AM -0500, Noel Jones wrote:
>
>> >> smtpd_tls_loglevel = 2
>> >
>> > Change that to 1, and also set:
>> >
>> > smtp_tls_security_level = 1
>>
>>
>> Oops, that should be
>>
>>smtp_tls_loglevel = 1
>
> Indeed a typo, thanks for the correction, ... and then the OP must
> *POST* the resulting logging.
>
> He's not posted the configuration of the sending system or
> its logs.  This is a waste of everyone's time.
>
> --
>   Viktor.
>


Hi Viktor,


By mistake, I have posted the receiving server configuration.

Below is the configuration of the sending system:


bounce_queue_lifetime = 40s
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 8h
mydestination = $myhostname.$mydomain,$myhostname, $myhostname,
localhost.localdomain
mydomain = tcs.mil.in
myhostname = AHQserver.tcs.mil.in
mynetworks = 127.0.0.0/8, 201.123.80.0/24, 201.123.1.0/24, 201.123.2.0/24
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
queue_run_delay = 30s
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_enforce_tls = yes
smtp_tls_CAfile = /etc/new_pki/tls/certs/ca-bundle.crt
smtp_tls_loglevel = 1
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_use_tls = yes
smtpd_starttls_timeout = 300s
smtpd_tls_CApath = /root/hyndavi/certs
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /root/hyndavi/certs/ahq_smtp_ad...@tcs.mil.in.pem
smtpd_tls_key_file = /root/hyndavi/certs/ahq_smtp_ad...@tcs.mil.in.key
smtpd_tls_security_level = encrypt
transport_maps = hash:/etc/postfix/transportmap
unknown_local_recipient_reject_code = 550
virtual_alias_maps = ldap:/etc/postfix/virtual_alias_map_ldapusers,
ldap:/etc/postfix/ldapdistlist.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_domains = AHQ.tcs.mil.in
virtual_mailbox_maps = ldap:/etc/postfix/virtual_mailbox_ldapusers
virtual_minimum_uid = 1000
virtual_uid_maps = static:5000


As I have already said, ca-bundle.crt contains the CA certificate. Both the
sending and receiving server certificates have been generated with the
same CA certificate. The CA is a self-signed certificate.

After making the configuration changes that were suggested, I have
sent mail from the AHQ server to the 1CorpHQ server. Below is the log:

Aug  3 12:11:54 AHQ postfix/smtp[8325]: 4B68168543FC:
to=, orig_to=,
relay=201.123.1.4[201.123.1.4]:25, delay=34, delays=34/0/0/0, dsn=4.7.5,
status=deferred (Server certificate not verified)

Can you help me to solve this problem?






Re: postfix-tls error

2017-08-02 Thread Viktor Dukhovni
On Wed, Aug 02, 2017 at 10:00:58AM -0500, Noel Jones wrote:

> >> smtpd_tls_loglevel = 2
> > 
> > Change that to 1, and also set:
> > 
> > smtp_tls_security_level = 1
> 
> 
> Oops, that should be
> 
>smtp_tls_loglevel = 1

Indeed a typo, thanks for the correction, ... and then the OP must
*POST* the resulting logging.

He's not posted the configuration of the sending system or
its logs.  This is a waste of everyone's time.

-- 
Viktor.


Re: postfix-tls error

2017-08-02 Thread Noel Jones
On 8/2/2017 2:19 AM, Viktor Dukhovni wrote:
> On Wed, Aug 02, 2017 at 12:10:31PM +0530, hyndavirap...@bel.co.in wrote:
> 
>> " Aug  2 11:21:34 AHQ postfix/smtp[6372]: BEC5D67928BD:
>> to=, orig_to=,
>> relay=201.123.1.4[201.123.1.4]:25, delay=0.06, delays=0.04/0.01/0.01/0,
>> dsn=4.7.5, status=deferred (Server certificate not verified) "
> 
> That's nice, but where's the SMTP client's TLS logging?
> 
>> queue_run_delay = 30s
> 
> Unrelated, but surely too short.
> 
>> smtp_enforce_tls = yes
> 
> Obsolete, instead set "smtp_tls_security_level = encrypt".
> 
>> smtp_tls_CAfile = /etc/new_pki/tls/certs/ca-bundle.crt
> 
> This has to be sufficient to verify the remote server's certificate.
> 
>> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>> smtpd_tls_loglevel = 2
> 
> Change that to 1, and also set:
> 
> smtp_tls_security_level = 1



Oops, that should be

   smtp_tls_loglevel = 1



> 
>> tls_policy file is as follows
>>
>> [201.123.1.4]:25 secure  match=1CorpHQ
>>
>> "1CorpHQ" is exactly same as the CN field of the certificate
> 
> Are there any DNS subject alternative names in the certificate?
> Is it issued by a trusted CA? ...
> 
>> How to solve the above error...I'm stuck at this point for a long time...
>> Any help will be appreciated greatly...
> 
> Post TLS logging,  after setting the loglevel = 1.
> 



Re: postfix-tls error

2017-08-02 Thread hyndavirapuru
> On Wed, Aug 02, 2017 at 12:10:31PM +0530, hyndavirap...@bel.co.in wrote:
>> " Aug  2 11:21:34 AHQ postfix/smtp[6372]: BEC5D67928BD:
>> to=, orig_to=,
>> relay=201.123.1.4[201.123.1.4]:25, delay=0.06, delays=0.04/0.01/0.01/0,
>> dsn=4.7.5, status=deferred (Server certificate not verified) "
> That's nice, but where's the SMTP client's TLS logging?
>> queue_run_delay = 30s
> Unrelated, but surely too short.
>> smtp_enforce_tls = yes
> Obsolete, instead set "smtp_tls_security_level = encrypt".
>> smtp_tls_CAfile = /etc/new_pki/tls/certs/ca-bundle.crt
> This has to be sufficient to verify the remote server's certificate.
>> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>> smtpd_tls_loglevel = 2
> Change that to 1, and also set:
> smtp_tls_security_level = 1
>> tls_policy file is as follows
>> [201.123.1.4]:25 secure  match=1CorpHQ
>> "1CorpHQ" is exactly same as the CN field of the certificate
> Are there any DNS subject alternative names in the certificate?
> Is it issued by a trusted CA? ...
>> How to solve the above error...I'm stuck at this point for a long time...
>> Any help will be appreciated greatly...
> Post TLS logging,  after setting the loglevel = 1.
> --
>   Viktor.


Mail flow is as follows:

1. Sending mail from the Cdr.AHQ user to the Cdr.1CorpHQ user.

2. Mail reaches the AHQ mail server successfully (completing TLS
negotiation successfully).

3. The AHQ mail server identified that the mail has to go to the 1CorpHQ mail server.

4. TLS negotiation has started.

5. But the AHQ mail server is not able to verify the 1CorpHQ mail server certificate.


I have posted the 1CorpHQ mail server postconf. For the AHQ server, the
configuration is the same except for the hostname and the virtual_mailbox_domain name.





Re: postfix-tls error

2017-08-02 Thread hyndavirapuru
> On Wed, Aug 02, 2017 at 12:10:31PM +0530, hyndavirap...@bel.co.in wrote:
>> " Aug  2 11:21:34 AHQ postfix/smtp[6372]: BEC5D67928BD:
>> to=, orig_to=,
>> relay=201.123.1.4[201.123.1.4]:25, delay=0.06, delays=0.04/0.01/0.01/0,
>> dsn=4.7.5, status=deferred (Server certificate not verified) "
> That's nice, but where's the SMTP client's TLS logging?
>> queue_run_delay = 30s
> Unrelated, but surely too short.
>> smtp_enforce_tls = yes
> Obsolete, instead set "smtp_tls_security_level = encrypt".
>> smtp_tls_CAfile = /etc/new_pki/tls/certs/ca-bundle.crt
> This has to be sufficient to verify the remote server's certificate.
>> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>> smtpd_tls_loglevel = 2
> Change that to 1, and also set:
> smtp_tls_security_level = 1
>> tls_policy file is as follows
>> [201.123.1.4]:25 secure  match=1CorpHQ
>> "1CorpHQ" is exactly same as the CN field of the certificate
> Are there any DNS subject alternative names in the certificate?
> Is it issued by a trusted CA? ...
>> How to solve the above error...I'm stuck at this point for a long time...
>> Any help will be appreciated greatly...
> Post TLS logging,  after setting the loglevel = 1.
> --
>   Viktor.


>> smtp_tls_CAfile = /etc/new_pki/tls/certs/ca-bundle.crt
> This has to be sufficient to verify the remote server's certificate.


Both server certificates are generated from the same CA, and the same
CA certificate has been added to ca-bundle.crt.

The CA certificate is a self-signed certificate.

I have changed smtpd_tls_loglevel to 1. Even after that, the logs are the same in
the maillog file.




Re: postfix-tls error

2017-08-02 Thread Viktor Dukhovni
On Wed, Aug 02, 2017 at 12:10:31PM +0530, hyndavirap...@bel.co.in wrote:

> " Aug  2 11:21:34 AHQ postfix/smtp[6372]: BEC5D67928BD:
> to=, orig_to=,
> relay=201.123.1.4[201.123.1.4]:25, delay=0.06, delays=0.04/0.01/0.01/0,
> dsn=4.7.5, status=deferred (Server certificate not verified) "

That's nice, but where's the SMTP client's TLS logging?

> queue_run_delay = 30s

Unrelated, but surely too short.

> smtp_enforce_tls = yes

Obsolete, instead set "smtp_tls_security_level = encrypt".

> smtp_tls_CAfile = /etc/new_pki/tls/certs/ca-bundle.crt

This has to be sufficient to verify the remote server's certificate.

> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
> smtpd_tls_loglevel = 2

Change that to 1, and also set:

smtp_tls_security_level = 1

> tls_policy file is as follows
> 
> [201.123.1.4]:25  secure  match=1CorpHQ
> 
> "1CorpHQ" is exactly same as the CN field of the certificate

Are there any DNS subject alternative names in the certificate?
Is it issued by a trusted CA? ...

> How to solve the above error...I'm stuck at this point for a long time...
> Any help will be appreciated greatly...

Post TLS logging,  after setting the loglevel = 1.

-- 
Viktor.


postfix-tls error

2017-08-02 Thread hyndavirapuru
Hi,

I have enabled TLS in 2 Postfix servers (MTA1, MTA2). When I try to send
mail from a simple Java client to the server it works fine; TLS negotiation
happens properly. But when MTA1 tries to send mail to the other MTA, the mail
gets deferred with the following log:


" Aug  2 11:21:34 AHQ postfix/smtp[6372]: BEC5D67928BD:
to=, orig_to=,
relay=201.123.1.4[201.123.1.4]:25, delay=0.06, delays=0.04/0.01/0.01/0,
dsn=4.7.5, status=deferred (Server certificate not verified) "


"postconf -n " output is as follows


bounce_queue_lifetime = 40s
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 5000
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 8h
mydestination = $myhostname.$mydomain,$myhostname, $myhostname,
localhost.localdomain
mydomain = tcs.mil.in
myhostname = 1CorpHQserver.tcs.mil.in
mynetworks = 127.0.0.0/8, 201.123.80.0/24, 201.123.2.0/24, 201.123.1.0/24
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
queue_run_delay = 30s
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_enforce_tls = yes
smtp_tls_CAfile = /etc/new_pki/tls/certs/ca-bundle.crt
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtpd_starttls_timeout = 300s
smtpd_tls_CApath = /etc/postfix_certs_24_7_17/ca_cert
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_cert_file =
/etc/postfix_certs_24_7_17/1corphq_smtp_ad...@tcs.mil.in.pem
smtpd_tls_key_file =
/etc/postfix_certs_24_7_17/1corphq_smtp_ad...@tcs.mil.in.key
smtpd_tls_loglevel = 2
smtpd_tls_security_level = encrypt
transport_maps = hash:/etc/postfix/transportmap
unknown_local_recipient_reject_code = 550
virtual_alias_maps = ldap:/etc/postfix/virtual_alias_map_ldapusers,
ldap:/etc/postfix/ldapdistlist.cf
virtual_gid_maps = static:6000
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_domains = 1CorpHQ.tcs.mil.in
virtual_mailbox_maps = ldap:/etc/postfix/virtual_mailbox_ldapusers
virtual_minimum_uid = 1000
virtual_uid_maps = static:6000

tls_policy file is as follows

[201.123.1.4]:25  secure  match=1CorpHQ


"1CorpHQ" is exactly the same as the CN field of the certificate.



How do I solve the above error... I've been stuck at this point for a long time...
Any help will be appreciated greatly...


Re: postfix tls error on port 587

2015-11-02 Thread Viktor Dukhovni
On Sun, Nov 01, 2015 at 08:08:46PM -0500, David Mehler wrote:

> Thanks. Don't ask me how, but flipping the tls protocols from the list
> I had to high and now the 587 works.

No idea what that means, but so long as you're satisfied...

-- 
Viktor.


Re: Postfix tls error

2015-11-02 Thread hyndavirapuru
> On Sat, Oct 31, 2015 at 04:10:33PM +0530, hyndavirap...@bel.co.in wrote:
>
>> tls_policy  file contains:
>>
>> [201.123.80.173]:25  encrypt  match=AHQserver
>
> Is the name in the certificate really not fully-qualified? The
> "encrypt" policy does not entail certificate verification.
> Try:
>
> [201.123.80.173]:25   secure  match=AHQserver
>
>> transport map details are as follows
>>
>> AHQ.tcs.mil.example  relay:[201.123.80.173]:25
>
> That's fine.
>
>> Subject: C=Example, ST=karnataka, O=bel, OU=crl,
>> CN=AHQserver/emailAddress=ahqserver_smtp_ad...@tcs.mil.example
>
> Is there a subjectAlternativeName extension in the certificate?
>
> When DNS names are present in the SAN extension, the subject
> CommonName is ignored.
>
> --
>   Viktor.
>


Thanks for the reply...

Changing the following line of tls_policy

[201.123.80.173]:25 encrypt  match=AHQserver

to

[201.123.80.173]:25 secure  match=AHQserver

solved my problem. Thank you so much...


--
hyndavi






Re: postfix tls error on port 587

2015-11-01 Thread Viktor Dukhovni
On Sun, Nov 01, 2015 at 02:49:20PM -0500, David Mehler wrote:

> Still stuck. I've got the below not sure if it helps, it does show
> that on 143 and 587 client wise no peer is being sent or verified.
> 
> openssl s_client -starttls smtp -connect localhost:587
> CONNECTED(0003)
> 34379270664:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:

The thing on port 587 is not speaking any recognizable form of TLS.
Logs from the peer would be quite useful in this context.

> openssl s_client -starttls smtp -connect localhost:143
> CONNECTED(0003)

Well, port 143 speaks IMAP not SMTP so "starttls smtp" is not
likely to get far for that port.

> # TLS parameters
> smtpd_tls_auth_only = yes
> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
> MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
> CBC3-SHA

That looks rather like a random hodge-podge.  Try:

smtpd_tls_ciphers = medium

instead.

> smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
> MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
> CBC3-SHA

Ditto.

> Any help appreciated.

Logs.

-- 
Viktor.


Re: postfix tls error on port 587

2015-11-01 Thread David Mehler
Hi,

Thanks. The only thing I have in the maillog is a connection made, tls
established, then the connection is dropped.

Thanks.
Dave.


On 11/1/15, Viktor Dukhovni  wrote:
> On Sun, Nov 01, 2015 at 02:49:20PM -0500, David Mehler wrote:
>
>> Still stuck. I've got the below not sure if it helps, it does show
>> that on 143 and 587 client wise no peer is being sent or verified.
>>
>> openssl s_client -starttls smtp -connect localhost:587
>> CONNECTED(0003)
>> 34379270664:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
>> protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
>
> The thing on port 587 is not speaking any recognizable form of TLS.
> Logs from the peer would be quite useful in this context.
>
>> openssl s_client -starttls smtp -connect localhost:143
>> CONNECTED(0003)
>
> Well, port 143 speaks IMAP not SMTP so "starttls smtp" is not
> likely to get far for that port.
>
>> # TLS parameters
>> smtpd_tls_auth_only = yes
>> smtpd_tls_mandatory_ciphers = high
>> smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
>> MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
>> CBC3-SHA
>
> That looks rather like a random hodge-podge.  Try:
>
> smtpd_tls_ciphers = medium
>
> instead.
>
>> smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
>> MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
>> CBC3-SHA
>
> Ditto.
>
>> Any help appreciated.
>
> Logs.
>
> --
>   Viktor.
>


Re: postfix tls error on port 587

2015-11-01 Thread David Mehler
Hello,

Thanks. Don't ask me how, but I flipped the TLS protocols from the list
I had to high and now 587 works. IMAP on 143 still won't, but
that's not for this list. The point is for the moment it is working.

Thanks for all your help.

Thanks.
Dave.

On 11/1/15, Viktor Dukhovni  wrote:
> On Sun, Nov 01, 2015 at 07:06:42PM -0500, David Mehler wrote:
>
>> Thanks. The only thing I have in the maillog is a connection made, tls
>> established, then the connection is dropped.
>
> Not possible.  Those logs don't match the report of a failed SSL
> connection on the client side.
>
> --
>   Viktor.
>


Re: postfix tls error on port 587

2015-11-01 Thread David Mehler
Hello,

Still stuck. I've got the below, not sure if it helps; it does show
that on 143 and 587, client-wise, no peer is being sent or verified.

openssl s_client -starttls smtp -connect localhost:587
CONNECTED(0003)
34379270664:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 220 bytes and written 332 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

openssl s_client -starttls smtp -connect localhost:143
CONNECTED(0003)
didn't found starttls in server response, try anyway...
34379270664:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 238 bytes and written 332 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Here's my postfix tls and sasl configuration:

main.cf:
# Dovecot sasl authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
#smtpd_sasl_authenticated_header = yes

smtpd_recipient_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination
  check_sender_access hash:/usr/local/etc/postfix/safe_addresses
  check_sender_access hash:/usr/local/etc/postfix/auto-whtlst
  check_client_access cidr:/usr/local/etc/postfix/spamfarms
  check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr
  permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3]
  check_reverse_client_hostname_access pcre:/usr/local/etc/postfix/fqrdns.pcre
  reject_unknown_reverse_client_hostname
  reject_non_fqdn_sender
  reject_non_fqdn_helo_hostname
  reject_invalid_helo_hostname
  reject_unknown_helo_hostname
  reject_unlisted_recipient
  reject_rbl_client b.barracudacentral.org
  reject_rbl_client zen.spamhaus.org
  reject_rbl_client psbl.surriel.com
  reject_rbl_client bl.spamcop.net
  reject_rbl_client cbl.abuseat.org
  reject_rhsbl_client dbl.spamhaus.org
  reject_rhsbl_sender dbl.spamhaus.org
  reject_rhsbl_helo dbl.spamhaus.org
  check_policy_service unix:private/spf-policy
# Postfix Quota status service
  check_policy_service inet:127.0.0.1:12345

smtpd_data_restrictions = reject_unauth_pipelining

# TLS parameters
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
  MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
  CBC3-SHA
smtpd_tls_eecdh_grade = strong
# Offer opportunistic TLS (STARTTLS) to connections to this mail server.
#smtpd_tls_security_level = may
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_CAfile = /etc/ssl/certs/cacert.crt
# for smtpd pfs
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_received_header = yes
# Use opportunistic TLS (STARTTLS) for outgoing mail if the remote
# server supports it.
#smtp_tls_security_level = may
smtp_tls_security_level = encrypt
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
  MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
  CBC3-SHA
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_CAfile = /etc/ssl/certs/cacert.crt

Any help appreciated.

Thanks.
Dave.


On 10/31/15, Viktor Dukhovni  wrote:
> On Sat, Oct 31, 2015 at 03:35:14PM -0400, David Mehler wrote:
>
>> Thank you. I apologize, let me clarify my statement. I have created my
>> own CA on an offline machine which I use to sign all of my
>> certificates.
>
> Good, that removes ambiguity.
>
>> When you say the client doesn't trust the server certificate, that's
>> not the webmail, that's the submission service not trusting the
>> postfix ServerCertificate, ServerKey, and ServerCAfile options?
>
> Whatever connects to your port 587 submission service is what's
> not trusting the certificate, and sending an alert to that effect,
> which the server logs.
>
>> >> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: SSL_accept error
>> >> from
>> >> localhost[::1]: 0
>> >> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: warning: TLS
>> >> library
>> >> problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
>> >> 

Re: postfix tls error on port 587

2015-11-01 Thread Viktor Dukhovni
On Sun, Nov 01, 2015 at 07:06:42PM -0500, David Mehler wrote:

> Thanks. The only thing I have in the maillog is a connection made, tls
> established, then the connection is dropped.

Not possible.  Those logs don't match the report of a failed SSL
connection on the client side.

-- 
Viktor.


Re: Postfix tls error

2015-10-31 Thread hyndavirapuru
> hyndavirap...@bel.co.example:
>> 1. error log before adding "smtp_tls_CAfile" param is as follows
>>
>
> I replaced the top-level domain name for privacy reasons.
>
>> postfix/smtp[3525]: certificate verification failed for
>> 201.123.80.173[201.123.80.173]:25: untrusted issuer
>> /C=EXAMPLE/ST=karnataka/L=bangalore/O=bel/OU=crl/CN=MilitaryMessagingCA/emailAddress=ca_ad...@bel.co.example
>
> The certificate could not be verified because an issuer in the
> trust chain was not known.
>
>> postfix/smtp[3525]: 804E8232A0: to=,
>> relay=201.123.80.173[201.123.80.173]:25, delay=10,
>> delays=0.13/0.01/10/0,
>> dsn=4.7.5, status=deferred (Server certificate not trusted)
>
> You require certificate verification, and thus mail is deferred.
>
>> 2. Error log after adding  following param
>>
>> smtp_tls_CAfile = /root/hyndavi/CA_cert.pem
>>
>> postfix/smtp[6891]: 17A3F232B1: to=,
>> relay=201.123.80.173[201.123.80.173]:25, delay=337,
>> delays=327/0.02/10/0,
>> dsn=4.7.5, status=deferred (Server certificate not verified)
>
> Now it knows the issuer, but the name in the certificate does not
> match what Postfix expected. The default is to match the next-hop
> domain but you can change that per-destination in smtp_tls_policy_maps
> with the "match=" attribute, or globally with smtp_tls_secure_cert_match.
>
>   Wietse
>


Thanks for the reply. I have added the following line to main.cf

smtp_tls_policy_maps = hash:/etc/postfix/tls_policy


tls_policy  file contains:

[201.123.80.173]:25 encrypt  match=AHQserver


transport map details are as follows

AHQ.tcs.mil.example relay:[201.123.80.173]:25


and server certificate details are

Subject: C=Example, ST=karnataka, O=bel, OU=crl,
CN=AHQserver/emailAddress=ahqserver_smtp_ad...@tcs.mil.example



After adding smtp_tls_policy_maps I'm still getting the same "server
certificate not verified" error...

Am I missing anything? Are the tls_policy file details proper?

Thanking you in advance...


--
Regards
Hyndavi








Re: Postfix tls error

2015-10-31 Thread Viktor Dukhovni
On Sat, Oct 31, 2015 at 04:10:33PM +0530, hyndavirap...@bel.co.in wrote:

> tls_policy  file contains:
> 
> [201.123.80.173]:25   encrypt  match=AHQserver

Is the name in the certificate really not fully-qualified? The
"encrypt" policy does not entail certificate verification.
Try:

[201.123.80.173]:25 secure  match=AHQserver

> transport map details are as follows
> 
> AHQ.tcs.mil.example   relay:[201.123.80.173]:25

That's fine.

> Subject: C=Example, ST=karnataka, O=bel, OU=crl,
> CN=AHQserver/emailAddress=ahqserver_smtp_ad...@tcs.mil.example

Is there a subjectAlternativeName extension in the certificate?

When DNS names are present in the SAN extension, the subject
CommonName is ignored.

-- 
Viktor.


Re: postfix tls error on port 587

2015-10-31 Thread David Mehler
Hello,

Thank you. I apologize, let me clarify my statement. I have created my
own CA on an offline machine which I use to sign all of my
certificates.

When you say the client doesn't trust the server certificate, that's
not the webmail, that's the submission service not trusting the
postfix ServerCertificate, ServerKey, and ServerCAfile options?

Thanks.
Dave.


On 10/31/15, Viktor Dukhovni  wrote:
> On Sat, Oct 31, 2015 at 12:05:29PM -0400, David Mehler wrote:
>
>> I am using self-signed certificates via my own CA if that matters.
>
> A certificate is either self-signed, or issued by a CA.  Which is it?
>
>> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: SSL_accept error from
>> localhost[::1]: 0
>> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: warning: TLS library
>> problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
>> ca:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1300:SSL
>> alert number 48:
>
> TLS "alerts" are messages from the remote TLS stack to the local
> TLS stack.  It is the client that does not trust the server certificate
> and hangs up.  The server just logs the client's reason for aborting
> the connection.
>
>> I'm not sure which CA it's referring to.
>
> The issuer of the server certificate.
>
>> I do have my CA's public
>> certificate defined in smtpd_tls_CAfile and have the smtp client
>> defining smtp_tls_CAfile as the same file as the smtpd server.
>
> The client does not trust the server certificate.
>
> --
>   Viktor.
>


Re: postfix tls error on port 587

2015-10-31 Thread Viktor Dukhovni
On Sat, Oct 31, 2015 at 03:35:14PM -0400, David Mehler wrote:

> Thank you. I apologize, let me clarify my statement. I have created my
> own CA on an offline machine which I use to sign all of my
> certificates.

Good, that removes ambiguity.

> When you say the client doesn't trust the server certificate, that's
> not the webmail, that's the submission service not trusting the
> postfix ServerCertificate, ServerKey, and ServerCAfile options?

Whatever connects to your port 587 submission service is what's
not trusting the certificate, and sending an alert to that effect,
which the server logs.

> >> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: SSL_accept error from
> >> localhost[::1]: 0
> >> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: warning: TLS library
> >> problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
> >> ca:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1300:SSL
> >> alert number 48:

In this case the client is "[::1]".

More light on this problem is shed in the client logs, rather than
the server logs.

-- 
Viktor.


postfix tls error on port 587

2015-10-31 Thread David Mehler
Hello,

I'm running a FreeBSD 10.2 system, postfix 2.11.6, Openssl 1.0.1P. I'm
working on setting up a webmail client to my existing
Postfix/Dovecot/Mysql setup. I've tried two webmail clients; both are
giving me the errors below when the webmail client (Postfix, Dovecot,
MySQL and the web server are all running on the same machine) attempts to
send mail through port 587. I am using port 587 because I've got
postscreen running on port 25.

I am using self-signed certificates via my own CA if that matters.
Here's the error:

Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: connect from localhost[::1]
Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: SSL_accept error
from localhost[::1]: 0
Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: warning: TLS
library problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown 
ca:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1300:SSL
alert number 48:
Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: lost connection
after STARTTLS from localhost[::1]
Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: disconnect from
localhost[::1]


I'm not sure which CA it's referring to. I do have my CA's public
certificate defined in smtpd_tls_CAfile and have the smtp client
defining smtp_tls_CAfile as the same file as the smtpd server.

Again, not sure if this matters: I'm running Apache 2.4 and PHP 5.6.


I'd appreciate any suggestions.

Thanks.
Dave.


Re: postfix tls error on port 587

2015-10-31 Thread Viktor Dukhovni
On Sat, Oct 31, 2015 at 12:05:29PM -0400, David Mehler wrote:

> I am using self-signed certificates via my own CA if that matters.

A certificate is either self-signed, or issued by a CA.  Which is it?

> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: SSL_accept error from 
> localhost[::1]: 0
> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: warning: TLS library 
> problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown 
> ca:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1300:SSL 
> alert number 48:

TLS "alerts" are messages from the remote TLS stack to the local
TLS stack.  It is the client that does not trust the server certificate
and hangs up.  The server just logs the client's reason for aborting
the connection.

> I'm not sure which CA it's referring to.

The issuer of the server certificate.

> I do have my CA's public
> certificate defined in smtpd_tls_CAfile and have the smtp client
> defining smtp_tls_CAfile as the same file as the smtpd server.

The client does not trust the server certificate.

-- 
Viktor.


Re: Postfix tls error

2015-10-31 Thread Wietse Venema
hyndavirap...@bel.co.in:
> AHQ.tcs.mil.example   relay:[201.123.80.173]:25
...
> [201.123.80.173]:25   encrypt  match=AHQserver
...
> CN=AHQserver/emailAddress=ahqserver_smtp_ad...@tcs.mil.example

The match= requires a complete match (case-insensitive). You specify
only a substring of the CN attribute.

Wietse


Re: Postfix tls error

2015-10-31 Thread Viktor Dukhovni
On Sat, Oct 31, 2015 at 10:16:37AM -0400, Wietse Venema wrote:

> hyndavirap...@bel.co.in:
> > AHQ.tcs.mil.example relay:[201.123.80.173]:25
> ...
> > [201.123.80.173]:25 encrypt  match=AHQserver
> ...
> > CN=AHQserver/emailAddress=ahqserver_smtp_ad...@tcs.mil.example
> 
> The match= requires a complete match (case-insensitive). You specify
> only a substring of the CN attribute.

Well, the CN is just the short name; the real problem is "encrypt" and
possibly SAN DNS entries that preempt the CommonName from the
subject DN.

-- 
Viktor.


Re: Postfix tls error

2015-10-30 Thread Wietse Venema
hyndavirap...@bel.co.example:
> 1. error log before adding "smtp_tls_CAfile" param is as follows
> 

I replaced the top-level domain name for privacy reasons.

> postfix/smtp[3525]: certificate verification failed for
> 201.123.80.173[201.123.80.173]:25: untrusted issuer
> /C=EXAMPLE/ST=karnataka/L=bangalore/O=bel/OU=crl/CN=MilitaryMessagingCA/emailAddress=ca_ad...@bel.co.example

The certificate could not be verified because an issuer in the
trust chain was not known.

> postfix/smtp[3525]: 804E8232A0: to=,
> relay=201.123.80.173[201.123.80.173]:25, delay=10, delays=0.13/0.01/10/0,
> dsn=4.7.5, status=deferred (Server certificate not trusted)

You require certificate verification, and thus mail is deferred.

> 2. Error log after adding  following param
> 
> smtp_tls_CAfile = /root/hyndavi/CA_cert.pem
> 
> postfix/smtp[6891]: 17A3F232B1: to=,
> relay=201.123.80.173[201.123.80.173]:25, delay=337, delays=327/0.02/10/0,
> dsn=4.7.5, status=deferred (Server certificate not verified)

Now it knows the issuer, but the name in the certificate does not
match what Postfix expected. The default is to match the next-hop
domain but you can change that per-destination in smtp_tls_policy_maps
with the "match=" attribute, or globally with smtp_tls_secure_cert_match.

Wietse


Re: Postfix tls error

2015-10-30 Thread Viktor Dukhovni
On Fri, Oct 30, 2015 at 09:20:05AM -0400, Wietse Venema wrote:

> > postfix/smtp[6891]: 17A3F232B1: to=,
> > relay=201.123.80.173[201.123.80.173]:25, delay=337, delays=327/0.02/10/0,
> > dsn=4.7.5, status=deferred (Server certificate not verified)
> 
> Now it knows the issuer, but the name in the certificate does not
> match what Postfix expected. The default is to match the next-hop
> domain but you can change that per-destination in smtp_tls_policy_maps
> with the "match=" attribute, or globally with smtp_tls_secure_cert_match.

Note that with a nexthop relay of [201.123.80.173], default matching
of the relay hostname won't work either.  If the recipient domain does
not appear in the peer certificate, then an explicit "match=..."
in the destination policy MUST be specified to match this SMTP server.

-- 
Viktor.
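A small model of the client-side rules this thread spells out (Viktor on "encrypt" not entailing verification and on SAN DNS names preempting the subject CN, Wietse on match= needing a complete case-insensitive match, and the note above on a bracketed IP next-hop defeating the default name match), as an added example that is neither Postfix code nor anything posted to the list. The certificate names and policy lines are constructed, and the default-name logic is simplified to the bare next-hop host.

```python
"""Model of the Postfix SMTP-client TLS policy rules discussed in this thread.
Added example; not Postfix code and not anything posted to the list."""
from dataclasses import dataclass, field

# Only these smtp_tls_security_level values verify the peer certificate
# name; "encrypt" requires encryption but does not entail verification.
VERIFYING_LEVELS = {"verify", "secure"}


@dataclass
class PeerCert:
    """The names a server certificate carries (constructed model)."""
    subject_cn: str
    san_dns: list = field(default_factory=list)

    def names(self):
        # When DNS names are present in the SAN extension, the subject
        # CommonName is ignored; otherwise the CN is the only candidate.
        return list(self.san_dns) if self.san_dns else [self.subject_cn]


def parse_policy_line(line):
    """Parse one smtp_tls_policy_maps entry: '<nexthop> <level> [k=v ...]'."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("policy entry needs a next-hop and a level: %r" % line)
    nexthop, level, attrs = fields[0], fields[1], {}
    for item in fields[2:]:
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError("malformed policy attribute: %r" % item)
        attrs[key] = value
    return nexthop, level, attrs


def nexthop_host(nexthop):
    """'[201.123.80.173]:25' -> '201.123.80.173': drop brackets and port."""
    if nexthop.startswith("["):
        return nexthop[1:nexthop.index("]")]
    return nexthop.rsplit(":", 1)[0] if ":" in nexthop else nexthop


def expected_names(nexthop, attrs):
    """match= wins; without it this model falls back to the next-hop host
    only (real Postfix also tries 'dot-nexthop' by default; simplified)."""
    if "match" in attrs:
        return attrs["match"].split(":")  # match=a:b lists alternatives
    return [nexthop_host(nexthop)]


def name_matches(cert, expected):
    """Full-string, case-insensitive comparison; a substring does not match."""
    wanted = {name.lower() for name in expected}
    return any(name.lower() in wanted for name in cert.names())


def evaluate(policy_line, cert):
    """Return (delivered, reason) for one policy entry against one cert."""
    nexthop, level, attrs = parse_policy_line(policy_line)
    if level not in VERIFYING_LEVELS:
        return True, "level %s: peer name is not checked" % level
    if name_matches(cert, expected_names(nexthop, attrs)):
        return True, "Verified TLS connection"
    return False, "deferred (Server certificate not verified)"


if __name__ == "__main__":
    cert = PeerCert(subject_cn="AHQserver")  # constructed, as in the thread
    for entry in ("[201.123.80.173]:25 encrypt match=AHQserver",
                  "[201.123.80.173]:25 secure match=AHQserver",
                  "[201.123.80.173]:25 secure"):
        print("%-48s -> %s" % (entry, evaluate(entry, cert)[1]))
```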


Re: Postfix tls error

2015-10-29 Thread Wietse Venema
hyndavirap...@bel.co.in:
> 
> Hi,
> 
> I have enabled TLS in 2 Postfix servers (MTA1, MTA2). When I try to send
> mail from a simple Java client to the server it is working fine; TLS negotiation
> happens properly. But when MTA1 tries to send mail to the other MTA, TLS is
> failing with the following error.
> 
> "certificate verification failed for [zz.zz.zz.zz]:25:
> untrusted issuer"

Please provide the COMPLETE logfile record including the program name.

> Yes, I am using self-signed certificates for both the servers. Even the CA is
> a self-signed certificate. But I have placed the CA certificate at the MTA1
> server and specified the path in "smtp_tls_CAfile". But even after that
> I'm getting the same error...

Please provide "postconf -n" output.

Wietse


Re: Postfix tls error

2015-10-29 Thread Karel
> On 2015-10-29 10:11, hyndavirap...@bel.co.in wrote:
>
> Every 3000 Sheets of paper costs us a tree.. Save trees... Conserve 
> Trees. Don't print this email or any Files unless you really need to 

This list might be the least appropriate place to spread such an agenda.
After all, an MTA is already saving trees by replacing paper mail with
electronic messages.

> Confidentiality Notice 
> The information contained in this electronic message and any 
> attachments to this message are intended for the exclusive use of
> the addressee(s) and may contain confidential or privileged 
> information. If you are not the intended recipient, please notify
> the sender at Bharat Electronics  or supp...@bel.co.in immediately
> and destroy all copies of this message and any attachments.

Do I really have to contact Bharat Electronics (supp...@bel.co.in) and
destroy all copies of this email?

This is a public mailing list with a public archive. How can this message
have any other effect than making the sender and his company look
ridiculous?


Postfix tls error

2015-10-29 Thread hyndavirapuru

Hi,

I have enabled TLS in 2 Postfix servers (MTA1, MTA2). When I try to send
mail from a simple Java client to the server it is working fine; TLS negotiation
happens properly. But when MTA1 tries to send mail to the other MTA, TLS is
failing with the following error.

"certificate verification failed for [zz.zz.zz.zz]:25:
untrusted issuer"


Yes, I am using self-signed certificates for both the servers. Even the CA is
a self-signed certificate. But I have placed the CA certificate at the MTA1
server and specified the path in "smtp_tls_CAfile". But even after that
I'm getting the same error...

How do I solve the above error... And if an MTA needs to trust different CA
certs, what is the way to solve the problem...


I'm stuck at this point for a long time... Any help will be appreciated
greatly...


Thanking you

Hyndavi


